A newly identified phishing campaign is targeting Microsoft 365 accounts by abusing the platform's device-code authentication flow, according to security firm ZeroBEC. Dubbed 'DEBULL Tooling,' the operation lures victims into approving a legitimate Azure AD device login request, subverting traditional detection mechanisms.

The campaign has been active since late June 2026, with active exploitation observed through early July. By using the legitimate device-code flow, attackers bypass password-based phishing defenses and MFA fatigue tactics, as the login request is initiated through Microsoft's own authentication interface.

Victims receive a collaboration-themed lure—likely a fake meeting invitation or file share request—that directs them to visit a Microsoft device-login URL and enter a code. Once the victim authenticates, the attacker gains an access token with the session's granted permissions.

ZeroBEC reports the attack does not rely on a fake password harvesting page, making it harder for users and email gateways to flag as malicious. The token theft grants persistent access to M365 accounts, enabling data exfiltration or lateral movement.

As of now, the campaign's attribution remains unclear. Organizations are advised to educate users about device-code flow risks and monitor for unexpected device-login requests in Azure AD logs.